A typical user authentication mechanism verifies a user's credentials, such as by validating a username and password, as the user attempts to access a protected resource (e.g., a server accessed via the Internet). However, using such a traditional authentication mechanism, if the username and password are stolen by a malicious entity, the entity may access the user's account from anywhere in the world through any device, resulting in undesirable security risks.
Another authentication scenario involves a user attempting to login to a remote device. A user authentication mechanism can authenticate the user but it may also be relevant to make certain that the remote device is actually the trusted device the user expects it to be. For example, a user may attempt a login to a remote server in order to upload confidential files. If the authentication process does not verify both the user's credentials and the device's credentials, the user may upload the confidential files to the wrong server. The risk of being wrong about which device one is accessing introduces severe security risks.